Yeah. This is a programming task rather than a configuration task, sorry.

- C

On Sep 14, 2006, at 1:50 AM, Simon Hang wrote:

Thanks Chris,

But REMOTE_USER environment variable is only available in CGI mode. It's okay for zope3, but no working for zope3.

I know there is a way to do similar things: use apache 2.0.x and mod_auth_sspi and pass the information either use http head or part of URL. But it's a not very nice solution. That's why I started to look an alternative solution. But it seems impossible to implement in zope3 use auth-plugin.

Maybe it's time to stop thinging about this. :(


On 9/14/06, Chris McDonough <[EMAIL PROTECTED]> wrote: The right thing to do here is probably to just use something like and trust the REMOTE_USER environment
variable passed by Apache... let somebody else worry about
maintaining it. ;-)  One strategy for doing this is described at
#step1 .

On Sep 13, 2006, at 9:37 AM, Philipp von Weitershausen wrote:

> Gary Poster wrote:
>> On Sep 13, 2006, at 2:30 AM, Philipp von Weitershausen wrote:
>>> Simon Hang wrote:
>>>> Hi,
>>>>  I'm thinging to write a NTLM credential plugin for zope3. But
>>>> as I know, ntlm use 4-way handshake procedure, that means it
>>>> needs two round-trips between server(zope3) and client(browser).
>>>>  When I look in the credential plugins, it has challenge mothed.
>>>> But seems it is only design for 1 round-trip protocol. It can
>>>> issue one challenge, and return to parent script.
>>> I don't see how the PAU only allows one "round-trip".
>> AIUI (I just looked up NTLM last night out of curiosity: see
>>, the problem
>> is that the 4 way handshake has to happen *within a single
>> connection*.
> Ack. Ok, I didn't know that. Frankly, I personally don't care much
> about NTLM anyways...
>> Apparently MS abuses HTTP to perform this.  Implementing it in
>> pluggable auth made me scratch my head a bit, so I didn't reply.
>> You would need to slurp the request, then push back to the
>> response, then slurp the same request again, then push back to the
>> response, then slurp one more time, and finally reply with the
>> real request.  Describing the problem to Benji, he mentioned WSGI--
>> that does seem like the only way I can imagine this working, and
>> that would be tricky enough, especially if you needed to reach
>> into Zope for the managed credentials.  Once the WSGI plugin did
>> its magic, it would need to put something in the WSGI request that
>> a pluggable auth plugin was willing to accept as authentication.
>> On the bright side, if you did this with WSGI you might be able to
>> offer this as a generic Python WSGI NTLM tool that required only
>> minimal integration with the back end app server.
> Yes, WSGI definitely sounds like a good place to put this then.
> Perhaps the WSGI middleware could "fake" a client that uses a more
> standard authentication system (e.g. Basic Auth) to the WSGI
> application, that way it'd be transparent to the WSGI application.
> Not sure if that's possible with NTLM, though.
> _______________________________________________
> Zope3-users mailing list

Zope3-users mailing list

Zope3-users mailing list

Reply via email to